5G Security and Resilience
The Fifth Generation of wireless technology, or 5G, will enable new innovation, new markets, and economic growth around the world. Tens of billions of new devices will be connected to the Internet through 5G technology. These connections will empower a vast array of new and enhanced critical services, from autonomous vehicles and telemedicine, to automated manufacturing and advances to traditional critical infrastructure, such as smart grid electricity distribution. Given 5G’s scope, the stakes for safeguarding these vital networks could not be higher. CISA is leading risk mitigation efforts across the federal government and is committed to working with government and industry partners to ensure the security and integrity of 5G technology in our nation.
What is 5G?
5G is the next generation of wireless technology that represents a complete transformation of telecommunication networks. Combining new and legacy technology and infrastructure, 5G will build upon previous generations in an evolution that will occur over many years, utilizing existing infrastructure and technology. 5G builds upon existing telecommunication infrastructure by improving the bandwidth, capacity, and reliability of wireless broadband services. The evolution will take years, but the goal is to meet increasing data and communication requirements, including capacity for tens of billions of connected devices that will make up the Internet of Things (IoT).
When will 5G be Available?
Widespread usage of a standalone 5G network is not expected until at least 2022. In the interim, the continued exponential increase of connected devices will utilize 4G, 4G Long-Term Evolution (LTE), and 4G/5G hybrid infrastructures for internet connectivity.
Vulnerabilities of 5G Adoption
The move to 5G presents opportunities to enhance security and create a better user experience; however, it may result in vulnerabilities related to supply chains, deployment, network security, and the loss of competition and choice. While not all inclusive, there are a range of vulnerabilities that could increase risk for the United States as the country’s networks migrate to 5G, including: reliance on untrusted entities and the global supply chain, lack of participation by untrusted companies in interoperability efforts, increased size of 5G infrastructure, integration within existing vulnerable networks, and untrusted company development of custom code for Information and Communication Technologies (ICT) components.
Issue: The 5G supply chain is susceptible to the malicious or inadvertent introduction of vulnerabilities such as malicious software and hardware; counterfeit components; and poor designs, manufacturing processes, and maintenance procedures.
Impact: 5G hardware, software, and services provided by untrusted entities could increase the risk of network asset compromise and affect data confidentiality, integrity, and availability. Even if U.S. networks are secure, U.S. data that travels overseas through untrusted telecommunications networks is potentially at risk of theft, manipulation, and destruction.
Issue: 5G will utilize more information and communication technology (ICT) components than previous generations of wireless networks, and municipalities, companies, and organizations may build their own local 5G networks, potentially increasing the attack surface for malicious actors.
Impact: Despite security enhancements compared to previous generations of wireless network equipment and services, 5G networks will need to be properly configured and implemented for those enhancements to be effective. Improperly deployed, configured, or managed 5G equipment and networks may be vulnerable to disruption and manipulation.
Issue: 5G builds upon previous generations of wireless networks and will initially be integrated with 4G LTE networks that contain some legacy vulnerabilities. Additionally, it is unknown what new vulnerabilities will be discovered in 5G networks.
Impact: Some legacy vulnerabilities, whether accidental or maliciously inserted by untrusted suppliers, may affect 5G equipment and networks no matter how much additional security is built in.
Loss of Competition and Choice
Issue: Despite the development of standards designed to encourage interoperability, some companies (including Huawei) build proprietary interfaces into their technologies. This limits customers’ abilities to use other equipment, either in addition to or in replacement of Huawei technology.
Impact: Customers who are locked into one technology or service provider may have to choose between continuing to use an untrusted supplier or removing and replacing existing equipment; which may be both expensive and time consuming. Lack of interoperability may also make it difficult for trusted companies to compete, potentially limiting their ability to invest in R&D and eventually driving them out of the market.
CISA’s Role in 5G Adoption
CISA is leading 5G risk mitigation efforts to ensure that the U.S. can fully benefit from all the advantages 5G connectivity promises to bring. Through its unique authorities, the agency is working with government and industry to ensure there is policy, legal, security, and safety frameworks in place to fully leverage its technology while mitigating its significant risks. Recently, CISA worked with the IT and Communications sectors to produce a 5G Risk Characterization product that provides a concise and easily understood overview of the wide range of risks 5G will introduce before, during, and after deployment. It provides a foundational baseline that both the U.S. government and industry can reference as common ground during the deployment of 5G.
CISA has provided an analysis of the vulnerabilities likely to affect the secure adoption and implementation of 5G technologies. This analysis represents the beginning of CISA’s thinking on this issue, and not the culmination of it. It is not an exhaustive risk summary or technical review of attack methodologies.